I. INTRODUCTION

Fault trees are used in many fields of application to
aid in assessing the probability of failure of a complex
binary system as a result of sub-system or component failures.
An algorithm is presented here for computing the exact failure
probability for binary systems represented as fault trees.
Due to the improved efficiency of this algorithm over those
currently in use, reliability engineers and other users will
find it useful for conducting fault tree analyses in which
multiple computations of failure probabilities are needed.

Fault trees are commonly used models to represent failures
in complex electrical, mechanical, and other systems. Their
use originated in 1961 at Bell Telephone Laboratories in the
safety assessment of the Minuteman Launch-Control System
[Ref. 1]. Since then many other applications for fault trees
have been found. Arnborg [Ref. 2] refers to their use in
weapons effectiveness models, and Atkinson [Ref. 3] uses a
fault tree model to analyze a naval weapons system. Ball
[Ref. 4] uses fault trees to identify critical zones and
components of aircraft subjected to anti-aircraft fire. Other
areas in which fault tree models have been applied include
nuclear power plant safety [Refs. 5,6,7,8], electrical sys-
tems [Ref. 9], computer hardware design [Ref. 10], and chemical
processing [Ref. 11].


Efficient methods for computing the probability of system
failure or, equivalently, system reliability are needed for
users with large fault trees to analyze. One use for such
computations is in obtaining importance measures for basic
events or component failures. Importance measures are methods
of assigning numerical values to basic events which in some
way gauge how critical a component is to system reliability.
These values are useful for sensitivity analysis. For example,
in an electrical circuit the failure of a component linked in
series will be more critical to system reliability than will
the same component linked in parallel. In a complex system
such structural characteristics may not be so obvious. Impor-
tance measures will reflect the relative importance to the
system resulting from system structure and component charac-
teristics for each component. Lambert [Ref. 12] discusses
four measures of event importance which can be computed
exactly or approximately given a method for computing system
reliability.

Needs exist for efficient system reliability computations
for other uses. Mizukami [Ref. 13] and Derman, et al. [Ref.
14], discuss constrained problems of resource allocation with
the objective of maximizing system reliability such as

    max h(p(y))

where y_i is the amount of resource allocated to component i,
p(y) is an m-vector of failure probabilities of the components
given y, and h(p(y)) is the system reliability. Since h(p(y))
is nonlinear, this problem requires a solution using nonlinear
programming techniques [Ref. 15]. Most of these techniques
require computation of the objective function gradient at
each iteration. Each component i in the gradient evaluated
at y is given by


yh oliteralon: es 


Thus each gradient computation requires 2m computations of 
h(p(y)). 
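As an added illustration of why one gradient costs 2m reliability evaluations (this is my code, not the thesis's, and it assumes, as the count 2m suggests, a central difference in each coordinate), the following Python computes the gradient of h(p(y)) for an assumed three-component system: the system fails if component 1 fails or if components 2 and 3 both fail, and p_i(y_i) = exp(-y_i) is the assumed response of failure probability to allocated resource. The names p_of_y, h, gradient and analytic_gradient are mine.

```python
import math

# Assumed (not from the thesis): failure probability of component i as a
# function of the resource y_i allocated to it; more resource, lower p_i.
def p_of_y(y):
    return [math.exp(-y_i) for y_i in y]

# Assumed structure: the system fails if component 1 fails, or if
# components 2 and 3 both fail.  h(p) = 1 - g(p) is the system reliability.
def h(p):
    g = p[0] + (1.0 - p[0]) * p[1] * p[2]
    return 1.0 - g

def gradient(y, delta=1e-5):
    """Central-difference gradient of h(p(y)).

    Returns (grad, evaluations).  Each of the m gradient components costs
    two evaluations of h(p(.)), hence 2m evaluations per gradient, which is
    the cost the text attributes to one nonlinear programming iteration.
    """
    grad, evaluations = [], 0
    for i in range(len(y)):
        y_plus, y_minus = list(y), list(y)
        y_plus[i] += delta
        y_minus[i] -= delta
        grad.append((h(p_of_y(y_plus)) - h(p_of_y(y_minus))) / (2.0 * delta))
        evaluations += 2
    return grad, evaluations

def analytic_gradient(y):
    """Closed-form gradient for the assumed system, used to check gradient()."""
    p = p_of_y(y)
    # dg/dp_i for g = p1 + (1 - p1) p2 p3
    dg_dp = [1.0 - p[1] * p[2], (1.0 - p[0]) * p[2], (1.0 - p[0]) * p[1]]
    # dh/dy_i = -(dg/dp_i)(dp_i/dy_i), and dp_i/dy_i = -p_i for p_i = exp(-y_i)
    return [dg_dp[i] * p[i] for i in range(len(y))]

if __name__ == "__main__":
    y = [1.0, 0.5, 2.0]
    grad, n = gradient(y)
    print(f"{n} evaluations of h for m = {len(y)} components")
    for i, (fd, exact) in enumerate(zip(grad, analytic_gradient(y)), start=1):
        print(f"dh/dy_{i}: finite difference {fd:.8f}, analytic {exact:.8f}")
```

Every gradient component is positive here because adding resource to any component lowers its failure probability, and each call to gradient makes exactly 2m calls to h, regardless of how cheap or expensive h itself is.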

In some binary systems the failures of some of the basic
components are statistically dependent. In these cases,
computation of system failure probability requires numerical
integration. For instance, if components i, j, and k are
dependent while all other component failure probabilities are
independent, then system failure probability g(p) can be
found using

    g(p) = ∫∫∫ g(p|(p_i = x_i, p_j = x_j, p_k = x_k)) f(x_i,x_j,x_k) dx_i dx_j dx_k

where g(p|(p_i = x_i, p_j = x_j, p_k = x_k)) is the system failure
probability with the probabilities of components i, j, and k
fixed, and f(x_i,x_j,x_k) is the joint probability density function
of components i, j, and k. Numerical integration of this
function requires many computations of system failure proba-
bility. The more rapidly that g(p|(p_i = x_i, p_j = x_j, p_k = x_k))
can be computed, the smaller the increments of numerical
integration can be, and the more accurate g(p) will be.

Many fault trees used in applications are quite large.
Arnborg [Ref. 2] states that some of the military models used
in practice require as many as 100,000 evaluations of fault
trees containing as many as 1000 basic components to evaluate
performance over different tactical situations. Reliability
optimization, numerical integration, and importance determina-
tion cannot be performed on some of these larger fault trees
given current methods. It is obvious that a need exists for
more efficient methods to compute system failure probability
for binary systems.


A. DEFINITIONS AND NOTATION

A fault tree is used to represent a binary system. A
binary system is a system in which all components and the
entire system are assumed to be either completely operational
or completely failed. A binary system is denoted (C,φ) where
C is the set of components and φ is a binary function of the
component states. Let x_i ∈ {0,1} represent the state of the
ith component of a binary system with m components. The system
state is given by φ(x) ∈ {0,1}, where x = (x_1,x_2,...,x_m) is
the system state vector. If x_i = 0, then the state vector x
is written (0_i,x) where x_j is arbitrary for all j ≠ i. Setting
x_i = 1 yields a state vector of (1_i,x). Likewise if every
basic component i is assigned a probability p_i, then
p = (p_1,p_2,...,p_m) is a vector of given probabilities. The
probability of a system failure is given by g(p), and system
reliability is given by h(p) = 1 - g(p). If p_i = 0, then the
vector p is denoted (0_i,p) where p_j maintains its same
value for all j ≠ i. Similarly, setting p_i = 1 yields the
vector (1_i,p).

A binary system can be coherent or noncoherent. A system
is coherent if φ is monotonically increasing, and all components
are relevant. Component i is relevant if φ(1_i,x) ≠ φ(0_i,x) for
some value of the state vector x. If φ(1_i,x) = φ(0_i,x), i.e., φ is
constant in x_i for all values of x, then component i is
irrelevant [Ref. 16: p. 6].

Fault trees are the most commonly used models of binary
systems. A fault tree is denoted F = (E,L) where E is the set
of events, and L is the set of links. An event e_i ∈ E is a
pair e_i = (v_i,t_i) where v_i ∈ V is the event vertex and t_i ∈ T
is the event type. Events are connected by links
l_ij = (v_i,v_j) ∈ L where the ordered pair (v_i,v_j) denotes a
directed link from e_i to e_j. Link l_ij transmits the output
from event e_i to the input of event e_j. The out-degree of
e_i is the number of j such that l_ij ∈ L. The in-degree
of e_j is the number of i such that l_ij ∈ L.

Three graphs derived from F will be useful. H = (V,L)
is a directed graph with links directed "upward" as in F;
H̄ = (V,L̄) is similar to H but with its links directed in the
opposite, i.e., "downward", direction; and Ĥ = (V,L̂) is an
undirected graph where L̂ is L taken as an unordered set.

A further requirement for F to be a fault tree is that H
be acyclic and possess a unique vertex v_0 ∈ V such that
v_0 is last in any acyclic ordering of V. In the graph H, v_0
corresponds to the top event e_0, the state of the top
event being the system state φ(x). The top event is dependent
on intermediate and basic events and has out-degree zero.
Intermediate events (or logic events) are any events with out-
degrees and in-degrees both greater than zero. A basic event
represents a system component, and has in-degree zero. The
number of basic events is m. For now, it is assumed that all
basic events are statistically independent, randomly occurring
events.

For examples of fault tree event types consider a model
of a complex tactical aircraft. This aircraft is composed
of many basic components such as electrical generators,
hydraulic pumps, flight control cables, and others for which
failures can be assumed to be statistically independent. (For
this aircraft assume that these components are independently
powered.) The failures of these basic components are repre-
sented in a fault tree by basic events. Each of these com-
ponents is a part of a greater system, i.e., electrical,
hydraulic, and flight controls, respectively. Failures of
these sub-systems become the intermediate events of the fault
tree. Failures in basic components cause failures in inter-
mediate components which may ultimately lead to occurrence
of the top event, aircraft failure.

In the fault tree each event has a type, t_i ∈ T. For the
top and intermediate events, t_i denotes a logic type, e.g.,
AND, OR, while for basic events, t_i is type BASIC. Any event
with an out-degree greater than one represents a replicated
event. The number of replicated events in the fault tree is
denoted by r.

Table 1-1 shows the logical operations performed at e_j
on the events e_i linked into e_j by the links l_ij ∈ L.

TABLE 1-1

Logical Operations

Logic Event    Inputs                           Output
AND            x_i for all i s.t. l_ij ∈ L     x_j = Π_i x_i
OR             x_i for all i s.t. l_ij ∈ L     x_j = 1 - Π_i (1 - x_i)
K-out-of-N     x_i for all i s.t. l_ij ∈ L     x_j = 1 if Σ_i x_i ≥ K, else 0
NOT            x_i                              x_j = 1 - x_i

Logic types included in T are AND, OR, NOT, and (at least)
K-out-of-N. Other logic types are possible, but these are
the most commonly encountered in fault tree models. In fact,
all logic functions can be represented using only logic
types AND, OR, and NOT. NOT events will always have an out-
degree and in-degree of one, and their presence implies a
noncoherent system. Figure 1-1 displays the symbols for
events to be discussed in this thesis. This thesis will only
consider these event types since they are the most common,
and the algorithm developed using these event types can be
easily extended to other types.

An event tree is a generalization of a fault tree in which
system operation or failure can be represented. Event trees
representing failures are usually referred to as fault trees.
There are no structural or computational differences between
fault trees and event trees, and the term "fault tree" is
used throughout this thesis. Another representation of a
binary system which is used is the reliability network. This
representation is not considered here since it does not lend
itself to modeling general binary systems [Ref. 17].

A module is a set of basic events which behave as one
event. Consider a binary system (C,φ) with A ⊂ C, and let
x = (x_A, x_A^c). If φ(x) = φ'(φ"(x_A), x_A^c), for structure functions
φ' and φ", then (A,φ") is a module [Ref. 16: p. 16].

A module in a binary system can often be directly recog-
nized in a fault tree. Consider the graph Ĥ derived from F
and a specified vertex v_j. If Ĥ is connected, and Ĥ - v_j is
disconnected, then v_j is a cut vertex, and e_j is a cut event.
Ĥ - v_j = {H_0,H_1,H_2,...,H_k}, where each H_i is connected for all
i, where there is no connection between H_i and H_l for i ≠ l,
and where H_0 contains the vertex corresponding to the top
event of F. Let H_i = (V_i,L_i), and E_i = {e_l : e_l = (v_l,t_l)
for all v_l ∈ V_i}. Then, F_i = (E_i ∪ {e_j}, L_i ∪ {l_lj : v_l ∈ V_i})
is an F-module for i=1,2,...,k with cut event e_j. The
non-null union of any combination of these F_i is also an
F-module with cut event e_j.

Figure 1-1 Logic Events (symbols for the AND, OR, 2-OUT-OF-3, NOT, and BASIC events)

Consider the F-module F' = (E',L') in F. Let e_i ∈ E
be any event connected into the cut event e_j by links
l_ij ∈ L. If e_i ∈ E' for all i, then e_j is an F-module top,
and F' is a simple F-module. If separated from F, a simple
F-module with an F-module top has the same properties as a
fault tree. The cut event of a general F-module may have other
e_i connected into it where e_i ∉ E', and therefore does not
necessarily possess all the fault tree properties. F is
always an F-module of F. Any other F-module in F is a proper
F-module. An F-module is trivial if it contains only one or
more unreplicated basic events plus the cut event. Any F,
whose only proper F-modules are trivial, is a prime F-module.

In a graph Ĥ, if a maximal set of vertices V_0 ⊂ V exists
such that for every distinct subset of three vertices
{v_i,v_j,v_k} ⊂ V_0 there exists a path between v_i and v_j not
containing v_k, then V_0 is a biconnected component [Ref. 18].
If paths from any v_i ∈ V_0 to any v_j ∉ V_0 must
pass through the same vertex v_k ∈ V_0 for i ≠ j, then v_k is
a cut vertex of V_0.


Computation of any problem on a digital computer requires
time and storage. Let f be some function of the size of the
fault tree such as f(|E|) or f(|L|). Then let O(f) be a
known linear function of f which provides an upper bound on
some requirement for the problem. O(f) is the algorithmic
complexity of the problem for the specific requirement. If
the requirement is space, then O(f) denotes the storage
requirement in terms of the problem size, while if the require-
ment is time, it denotes the CPU time required in the same
terms.

Although not utilized in this study, later reference will
be made to other fault tree algorithms which utilize cut
sets and path sets. A cut set is a set of basic events whose
occurrence ensures occurrence of the top event. A cut set
is minimal if no event can be removed while still ensuring
occurrence of the top event. A path set is a set of basic
events whose nonoccurrence ensures nonoccurrence of the top
event [Ref. 16: p. 9]. (This terminology originates from
network reliability.)


B. PROBLEM DEFINITION AND COMPLEXITY

The objective of this thesis is to develop an efficient
algorithm to compute g(p), the probability of the top event
of a fault tree. It is assumed that a probability p_i for
each basic event in F is known. However, assignment of a
probability p_i to a basic event is only correct when certain
assumptions about the modeled system can be made. These
assumptions are valid for the three categories of systems
described below.

The first category is the set of non-repairable systems.
In this case p_i = F_i(T) is the probability that component i
has failed by time T [Ref. 19]. System failure by time T
is then g(p(T)). A tactical aircraft on a mission is an
example of a non-repairable system where the interval (0,T)
represents the time span from takeoff to landing.

The second category is the set of systems for which com-
ponent "up" and "down" times form independent renewal processes
[Ref. 19]. Here, D_i is the component "down" time, and U_i
is the component "up" time. The probability that component i
is "down" or in a failed state at a given instant of time and
the proportion of time that i will spend in a "down" state
are both given by

    p_i = E(D_i) / (E(U_i) + E(D_i)).

An example of this type of system is an electrical power
generating station which runs continuously.

The final category of failures is point failures. Point
failures are realized if a system fails to activate when its
"on" switch is engaged. In this case p_i and g(p) are simply
the probabilities that component i and the system, respectively,
fail to activate. Point failure is a fair assumption for
modeling the probability that an aircraft to be flown on a
mission fails to pass the pre-flight safety checks and conse-
quently cannot begin the mission.

Let g(p) denote the probability of the top event in a
fault tree, and let g_j(p) denote the probability of occurrence
of an intermediate event j. In a fault tree without repli-
cated events, computation of g(p) is easy. Since the top
and intermediate events are represented by logic events, e_j,
their probability can be computed directly if the events, e_i,
for all i such that l_ij ∈ L are all mutually independent and
have known probabilities. The equations used to compute these
probabilities are found in Table 1-2.


TABLE 1-2

Logic Event Probabilities

Event Type     Computation
AND            g_j(p) = Π_i p_i
OR             g_j(p) = 1 - Π_i (1 - p_i)
2-out-of-3     g_j(p) = p_1 p_2 (1 - p_3) + (1 - p_1) p_2 p_3 + p_1 (1 - p_2) p_3 + p_1 p_2 p_3
NOT            g_j(p) = 1 - p_i

Hwang [Ref. 20] and Shanthikumar [Ref. 21] provide recursive
algorithms for general K-out-of-N systems which operate in
polynomial time. Using these equations g(p) can be found by
computing g_j(p) at each logic event from the bottom of the
fault tree to the top event. This procedure can be used in
any fault tree without replicated events. Computation of
top event probability for a fault tree in this case can be
accomplished in time O(|L|) in space O(|L|). (Since H is
assumed connected, |L| ≥ |E| - 1, and O(|E| + |L|) is effec-
tively O(|L|).) Referring to Figure 1-2a, F is searched from
the top event downward, i.e., following H̄. When an intermedi-
ate event which has only basic input events is found, the
probability of the intermediate event is computed, and it
becomes a basic event. The search continues, gradually
reducing all intermediate events to basic events in a back-
tracking procedure until the top event probability is computed.
These reductions are simple reductions, and a formal algorithm
to perform them is given in Chapter II.

The assumption of independence among input events which
allows simple reductions cannot be made throughout a fault
tree containing replicated events. Any two events e_i and e_j
which are on separate directed paths from the same replicated
event e_k cannot be assumed to be independent since the states
of e_i and e_j both depend on e_k. Replicated events complicate
the computation of top event probability. In fact, Rosenthal
has shown the problem of computing g(p) for a fault tree F
containing replicated events to be a member of the class of
nondeterministic polynomial hard (NP hard) problems [Ref. 22].
Consequently, no algorithm exists or is likely to be developed
to compute g(p) in time bounded by a polynomial function of
the number of events [Ref. 23: p. 113]. The best known upper
bound on time for any algorithm to solve g(p) is an exponen-
tial function of the problem size. The best known bound on
space, however, is polynomial.

Despite the inherent exponential complexity of the prob-
lem, it is still possible to exactly compute g(p) for many
moderate sized fault trees. It is the purpose of this study
to take advantage of structural properties of fault trees
to extend the range of problems for which exact probabilities
can be computed. The method described for use in a fault
tree with no replicated events will be useful as a subroutine
in a more general algorithm.


C. COMPUTATIONAL METHODS

Several different exact and approximate methods for
probabilistic analysis of fault trees have been developed
for fault trees with replicated events. Most of these methods
ignore the topological structure of the fault tree while rely-
ing on cut set enumeration to compute g(p). Because of the
potentially large number of cut sets, exact values of g(p) are not
computable for large systems and must be approximated by use
of upper and lower bounds or Monte Carlo simulation.

1. Existing Methods

Current methods for computing g(p) for binary systems
represented as fault trees can be placed into two categories,
those using cut sets and those not using cut sets. Methods
which use cut sets include "inclusion-exclusion" [Ref. 24:
p. 98-101], "sum of disjoint products" [Refs. 25, 26], and
"rl" [Ref. 27]. A common requirement of these methods is the
enumeration and storage of all cut sets. The number of cut
sets in a binary system can be exponential in the size of
the system. Therefore, for a large system these methods may
be limited to approximations for g(p). Using the inclusion-
exclusion and sum of disjoint products methods the generation
of all terms needed for computation of g(p) is exponential
in the number of cut sets. Consequently, for both of these
methods the complexity is exponential on an exponential
function of the problem size. Most methods which depend on
cut sets never take advantage of the structure of the systems
they model, such as the presence of modules or other simpli-
fying properties, and, consequently, are guaranteed to always
require large amounts of time and space to compute g(p).
rl, which locates independent blocks of cut sets and evalu-
ates them separately, can achieve exponentially better effi-
ciency than the sum of disjoint products methods.

Two methods which do not use cut sets are "PAFT F77"
[Ref. 28] and "reduced state enumeration" [Ref. 2]. These
methods are based on the fault tree model of a binary system.
PAFT F77 removes all replicated basic events by conditioning
and then uses simple reductions to compute g(p). This method
does not allow replicated intermediate events, and is
guaranteed an actual complexity factor which is exponential
in the number of replicated basic events. Reduced state
enumeration enumerates the states of each replicated event
e_i over any cut event e_j. Reduction is achieved since the
states of all e_i below e_j can be replaced by the states of
e_j in an expression for the states of some e_k above e_j.
This method is only useful, however, when no prime F-modules
of the fault tree contain a large number of replicated events.

Of the methods discussed above only PAFT F77 takes
advantage of topological reductions and then only in a crude
manner. This thesis applies probabilistic structural reduc-
tions to fault trees. Although theoretical complexity remains
exponential in the number of replicated events, actual com-
plexity will be reduced by these reductions.

2. Recursive Pivotal Decomposition

Let g(F) denote the system failure probability for
a particular fault tree F. If F has no replicated events,
g(F) may be computed by repeated application of simple reduc-
tions. When F is reduced to a single basic event e_i,
g(F) = p_i. If, after all simple reductions have been made,
F is not reduced to a single event, some replicated basic
event e_i must remain. From the theorem of total probability,
for any remaining basic event e_i

    g(p) = p_i g(1_i,p) + (1 - p_i) g(0_i,p)

for a binary system. This is the equation for pivotal
decomposition. For a fault tree the equation becomes

    g(F) = p_i g(F|x_i = 1) + (1 - p_i) g(F|x_i = 0)
         = p_i g(F_1) + (1 - p_i) g(F_0)

where F_1 is a fault tree derived from F given that e_i has
occurred, and F_0 is a fault tree derived from F given that
e_i has not occurred. If simple reductions completely reduce
F_1 and F_0, then g(F_1) and g(F_0) are computed, and g(F) can
then be computed. If not, events in F_1 and/or F_0 are selected
for conditioning, and the procedure is repeated recursively
until all failure probabilities can be computed through simple
reductions or until conditioning implies g(F|x_i) = 0 or 1.
Figure 1-3 shows a recursive decomposition of a fault tree F.

Recursive pivotal decomposition is further enhanced
by identification of proper F-modules. If simple reductions
fail to reduce F to a basic event e_i, then F may contain a
non-trivial F-module F'. If F' is a simple, proper F-module
with module top e_j, then pivotal decomposition may be applied
to compute g(F'). F can then be replaced by F - F' ∪ {e_j} where
t_j = BASIC, and p_j = g(F'). Using this modularization an
exponential reduction in computation can be achieved, especially
when repeated on recursively produced fault trees.

For small fault trees pivotal decomposition may be
repeated quickly to compute g(F) as many times as necessary,
as in the constrained reliability maximization
problem. For moderate to large-sized fault trees it may be
possible to use pivotal decomposition to compute g(F) once
in a reasonable amount of time but not multiple times. In
this case it is possible to perform the simple reductions and
pivotal decomposition on F without actually computing the
probabilities in the process but, instead, saving each equa-
tion which would have been used to compute probabilities.
When F has been completely reduced, the saved equations form
an expression for g(p). This expression may now be used for
rapid recomputations of g(p) without much of the work asso-
ciated with the original fault tree algorithm.

Assuming that only replicated events are conditioned,
time complexity for pivotal decomposition combined with
simple reductions is O(2^r |L|) for g(F). This is true since
r is the greatest recursion level ever required to condition
r replicated events. The time complexity of the expression
g(p) will be identical to that of g(F) since g(p) will
merely execute the computations produced in equational form
by g(F). Actual time savings will, however, be realized by
execution of the expression g(p) since building, copying,
and reducing the structure of F is unnecessary. The space
complexity of storing one fault tree is O(|L|). For each
step of conditioning, two different reductions must be per-
formed on the same fault tree. To do this a copy of the cur-
rent fault tree must be created and stored until it has been
completely reduced. At the rth level of recursion, r copies
of the fault tree are being stored. Consequently, the space
complexity for g(F) is O(r|L|). Space complexity for
storing the expression g(p) is proportional to the
time complexity of g(F).
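The following Python is an added example (my code, not the thesis's) that ties together the logical operations of Table 1-1, the probability equations of Table 1-2, the simple reductions of Section B, and the pivotal decomposition just described. A fault tree is a dict from gate name to (type, inputs); any input name that is not a gate is a basic event, and a replicated event is any name that is an input of more than one gate. simple_reduction evaluates a tree with no unconditioned replicated events bottom-up with the Table 1-2 equations (the K-out-of-N case uses a polynomial-time dynamic programme of my own rather than the cited Hwang or Shanthikumar recursions); pivotal evaluates a tree with replicated basic events by conditioning each of them on both states, as g(F) = p_i g(F|x_i = 1) + (1 - p_i) g(F|x_i = 0); and enumeration checks the result against the definition of g(p) as the sum over all 2^m component state vectors using the Table 1-1 logic. The sample tree and probabilities are constructed.

```python
from itertools import product
from functools import reduce
import operator

# Constructed sample fault tree (not from the thesis).  Gate -> (type, inputs).
# Types: "AND", "OR", "NOT", or "KooN" for K-out-of-N (e.g. "2oo3").
# Any input name that is not a gate is a basic event.  Basic event "r" is an
# input of two gates, so it is a replicated event.
GATES = {
    "TOP": ("OR", ["G1", "G2"]),
    "G1": ("AND", ["a", "r"]),
    "G2": ("2oo3", ["r", "b", "G3"]),
    "G3": ("NOT", ["c"]),
}
PROBS = {"a": 0.1, "b": 0.2, "c": 0.3, "r": 0.4}

def basic_events(gates):
    return {i for _, ins in gates.values() for i in ins if i not in gates}

def replicated_events(gates):
    """Events with out-degree greater than one."""
    out_degree = {}
    for _, ins in gates.values():
        for i in ins:
            out_degree[i] = out_degree.get(i, 0) + 1
    return {e for e, d in out_degree.items() if d > 1}

def k_of_n(k, probs):
    """P(at least k of the independent events occur), by an O(n^2) dynamic programme."""
    dist = [1.0] + [0.0] * len(probs)   # dist[j] = P(exactly j occurred so far)
    for p in probs:
        for j in range(len(probs), 0, -1):
            dist[j] = dist[j] * (1.0 - p) + dist[j - 1] * p
        dist[0] *= (1.0 - p)
    return sum(dist[k:])

def gate_prob(kind, probs):
    """Table 1-2: probability of a logic event from independent input probabilities."""
    if kind == "AND":
        return reduce(operator.mul, probs, 1.0)
    if kind == "OR":
        return 1.0 - reduce(operator.mul, (1.0 - p for p in probs), 1.0)
    if kind == "NOT":
        return 1.0 - probs[0]
    k, n = kind.split("oo")
    assert int(n) == len(probs)
    return k_of_n(int(k), probs)

def simple_reduction(gates, node, probs):
    """Bottom-up evaluation; exact only when no replicated event remains unconditioned."""
    if node not in gates:
        return probs[node]
    kind, ins = gates[node]
    return gate_prob(kind, [simple_reduction(gates, i, probs) for i in ins])

def pivotal(gates, top, probs, remaining=None):
    """Recursive pivotal decomposition on the replicated basic events."""
    if remaining is None:
        reps = replicated_events(gates)
        assert reps <= basic_events(gates), "this example conditions basic events only"
        remaining = sorted(reps)
    if not remaining:
        return simple_reduction(gates, top, probs)
    e, rest = remaining[0], remaining[1:]
    # Fixing p_e to 1 or 0 makes e a constant, independent of every other event,
    # so the independence assumption behind simple reductions holds again.
    g1 = pivotal(gates, top, dict(probs, **{e: 1.0}), rest)
    g0 = pivotal(gates, top, dict(probs, **{e: 0.0}), rest)
    return probs[e] * g1 + (1.0 - probs[e]) * g0

def phi(gates, node, x):
    """Table 1-1: structure function of the fault tree for state vector x."""
    if node not in gates:
        return x[node]
    kind, ins = gates[node]
    vals = [phi(gates, i, x) for i in ins]
    if kind == "AND":
        return min(vals)
    if kind == "OR":
        return max(vals)
    if kind == "NOT":
        return 1 - vals[0]
    return 1 if sum(vals) >= int(kind.split("oo")[0]) else 0

def enumeration(gates, top, probs):
    """g(p) by summing P(x) over all 2^m state vectors with phi(x) = 1 (check only)."""
    events = sorted(basic_events(gates))
    total = 0.0
    for states in product((0, 1), repeat=len(events)):
        x = dict(zip(events, states))
        if phi(gates, top, x):
            pr = 1.0
            for e in events:
                pr *= probs[e] if x[e] else 1.0 - probs[e]
            total += pr
    return total

if __name__ == "__main__":
    print("replicated events:", replicated_events(GATES))
    print("g(p) by pivotal decomposition:", pivotal(GATES, "TOP", PROBS))
    print("g(p) by state enumeration:    ", enumeration(GATES, "TOP", PROBS))
```

With only one replicated event the decomposition costs two bottom-up passes, whereas enumeration costs 2^4 structure function evaluations; with r replicated events the decomposition grows as 2^r passes, which is the O(2^r |L|) bound stated above, while enumeration grows as 2^m.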

Improvement of the actual time required to compute
probabilities over existing methods will be attempted by
taking advantage of fault tree structure, modularizing when
possible, and ex]ploring the use of some heuristics for
intelligent conditioning.


II. ALGORITHMS


The main algorithm performs recursive pivotal decomposi-
tion combined with simple reductions on a fault tree. The
main features of this algorithm and its supporting elements
are presented in this chapter. F will be used to denote a
fault tree with a probability assigned to each basic event.
For notational simplicity let |F| denote |E| for F = (E,L).


A. FAULTTREE

Faulttree is the primary algorithm used in this thesis.
(See Figure 2-1.) The argument F is a simple F-module. In
the first call to Faulttree, F is the original fault tree,
but in all subsequent calls it is an F-module. (It will not
necessarily be a proper F-module.) Faulttree receives F as
an argument and returns the F-module top and its probability.
Sreduce performs all possible simple reductions on F,
and if it reduces F to a basic event, Faulttree is finished.
Otherwise, Faulttree will carry out further reductions using
recursive pivotal decomposition. Findmodule searches for and
returns a simple F-module F_0 in F, along with e_j, the
F-module top. If no proper, simple F-modules exist, F_0 = F.
Then a copy of F_0 is produced so that two fault trees can be
conditioned. At the end of the "if" block F_0 remains in F
but as a basic event with probability given by the pivotal
decomposition computation. The comments "{dummy 1}" and
"{dummy 2}" mark the spots where equation print statements
can be inserted. This cycle of Sreduce, Findmodule, and
pivotal decomposition on an F-module is continued until all
F-modules are completely reduced.

algorithm Faulttree (F);
  input:  A fault tree or simple F-module F with associated
          basic event probabilities
  output: The top event or F-module top e_j of F and its
          probability
begin
  while (|F| > 1) do
  begin
    (F,p) ← Sreduce (F);
    if (|F| = 1) then Return (e_j,p)
    else
    begin
      (F_0,e_j) ← Findmodule (F);
      select a replicated e_i in F_0 s.t. t_i = BASIC;
      F_1 ← copy (F_0);
      (F_1,p_1) ← Condition (F_1,e_i,1);
      if (|F_1| > 1) then (e_j,p_1) ← Faulttree (F_1);
      {dummy 1};
      (F_0,p_0) ← Condition (F_0,e_i,0);
      if (|F_0| > 1) then (e_j,p_0) ← Faulttree (F_0);
      p_j ← p_i p_1 + (1 - p_i) p_0;
      {dummy 2};
      t_j ← BASIC;
    end;
  end;
  Return (e_j,p_j)
end.

Figure 2-1 Faulttree

Significant reductions in actual run times should be
realized through the use of modularization. If a simple F-
module can be located with s replicated events in a fault
tree with r replicated events, then reduction methods
can be applied to the F-module alone. After reducing
the F-module to a basic event, reductions continue on the
remainder of the fault tree. Using these methods the original
complexity factor of 2^r reduces to 2^s + 2^(r-s). By searching
for F-modules and independently reducing each one, much time
is saved.

Actual storage requirements can be expected to be well 
below the upper bound of O(r|L|). Actual storage could only 
be this large if at each level of recursion during pivotal 
decomposition a copy of the original fault tree must be made. 
This cannot happen since at least one and frequently many 
events are removed at each conditioning step, thus gradually 
reducing the size of the fault tree as the level of recursion 
increases. Additionally, these operations are being performed 
on F-modules. Whenever a proper F-module is found, the size 
of the copy to be produced and stored is reduced. 

1. Sreduce

This algorithm is sufficient for completely reducing
F if it contains no replicated events. Sreduce is shown in
Figure 2-2. Sreduce does a depth first search in H̄ to find
any event e_j with only unreplicated, basic events directly
below. When such an e_j is found it is reduced to a basic
event, g_j(p) is computed, and all of the unreplicated, basic
events can be disposed. As the algorithm backtracks to the
top event, each F-module which has no replicated events is
reduced to a single basic event, and the events below it are
disposed. Only remaining, non-trivial F-modules in F contain
replicated events. "{dummy 3}" is a marker for inserting the
print statements for g_j(p). The time complexity of a call
to Sreduce is O(|L|).

algorithm Sreduce (F);
  input:  A simple F-module F with associated basic event
          probabilities
  output: If fully reduced, the F-module top with its proba-
          bility. Else, a partially reduced F
begin
  for all e_i ∈ E mark e_i "reducible";
  put module top of F on stack;
  while stack not empty do
  begin
    let e_j be the top element of the stack;
    for each untraversed l_ij ∈ L do
    begin
      traverse l_ij;
      if e_i replicated then mark e_j "irreducible";
      if e_i "reducible" and not BASIC then put e_i
        on stack and let e_j ← e_i;
    end;
    remove e_j from stack;
    if e_j "reducible" then
    begin
      p_j ← g_j(p) and mark e_j BASIC;
      dispose all e_i s.t. l_ij ∈ L;
      {dummy 3};
    end;
    else mark top element of stack "irreducible";
  end;
  if (|F| = 1) then Return ({e_j},p_j)
  else Return (F,undefined)
end.

Figure 2-2 Sreduce
2. Findmodule

This algorithm is a modification of Hopcroft's [Ref.
18: p. 185] depth first search for biconnected components.
The search for biconnected components is effectively carried
out in Ĥ - V' where Ĥ is derived from F, after performing all
possible simple reductions, and V' is the set of unreplicated
basic event vertices. As a result only F-modules containing
at least one replicated event are found. Although Findmodule
locates any such F-module, it returns only simple F-modules
to Faulttree. If a located F-module is not simple, Findmodule
will restructure it into a simple F-module with an F-module
top or perform some other type of restructuring before return-
ing it to Faulttree. These special restructuring procedures
are described in Section C of this chapter. The time complex-
ity of this routine is O(|L|). Findmodule terminates as
soon as an F-module is located.
3. Conditioning

Great reductions in computation can be obtained by
selective conditioning in Faulttree. After locating an
F-module F, a replicated basic event $e_i$ is selected for
conditioning. "Condition" is a procedure for making the
associated reductions in F and is shown in Figure 2-3.

Condition also uses a depth first search, but from
the replicated event outward, transmitting the effect of
conditioning on the replicated event to other events in F.
The search is conducted in $(E, L \cup \bar{L})$ since other events both
above and below an event to be removed may also be determined
to be removable. Condition is configured for AND, OR, NOT,
and 2-out-of-3 gates. However, addition of other types is
easy. Any event to be removed from F is placed into the
stack. When event $e_j$ is removed from the stack, an outward
search is conducted to find any other events to remove from
F. If events are not to be removed, their links to $e_j$ are
disposed. An event which is unreplicated and connected into
$e_j$ from below will be placed into the stack for removal from
F. The search looks upward from $e_j$ to events $e_k$ for all
$\ell_{jk} \in L$ and performs logic checks. For example, if the
state variable x = 1, and $t_k$ = OR, then $e_k$ is placed into the
stack. NOT events change x to 1-x. 2-out-of-3 events are
transformed into AND or OR events depending on the current
value of x. If the search reaches the F-module top of F,
F is returned as a basic event with p = 0 or 1. If the F-
module top is not reached in the search, F is returned,
partially reduced from the form of the original argument.
The time complexity of this search is O(|L|).

procedure Condition (F, e_i, x);
input: A simple F-module F, a basic event e_i to condition, the
state of the condition x.
output: If fully reduced, the F-module top and the state of
the top event. Else, a partially reduced F

begin
  put e_i on stack;
  while stack not empty do
  begin
    remove e_j from stack;
    for all e_k s.t. ℓ_jk ∈ L do          {events above e_j}
    begin
      if ((in-degree (e_k) = 1) or ((t_k = OR)
          and (x = 1)) or ((t_k = AND) and
          (x = 0))) then
      begin
        if (e_k = module top of F) then
          Return ({e_k}, x);
        put e_k on stack;
        if t_k = NOT then x ← 1-x;
      end
      else
      begin
        dispose ℓ_jk;
        if (t_k = 2-out-of-3) then
          if x = 1 then t_k ← OR
          else t_k ← AND;
      end
    end
    for all e_k s.t. ℓ_kj ∈ L do          {events below e_j}
    begin
      if e_k unreplicated then put e_k on stack
      else dispose ℓ_kj
    end
    if t_j = NOT then x ← 1-x;
    dispose e_j
  end
  Return (F, undefined)
end.
Figure 2-3 Condition
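The simple reduction and conditioning steps described above, as an added Python example that is not the thesis's Pascal code: it pivots on a replicated basic event with g(F) = p_i g(F|x_i=1) + (1-p_i) g(F|x_i=0), evaluates gates with only unreplicated inputs by the independence formulas, and checks the result against enumeration of all basic-event states. The tree, the gate names, the function names and the pivot choice (a path-count analogue of heuristic (a), not the thesis's select procedure) are assumptions made for the example.

```python
# Added example, not the thesis's Pascal code: exact top-event probability by
# pivotal decomposition on replicated basic events, using the independent-input
# gate formulas that Sreduce applies once nothing below a gate is replicated.
# The tree is constructed; "2oo3" stands for the thesis's 2-out-of-3 gate.
from itertools import product
from math import prod

# Gates are (kind, input ids); basic events are ("BASIC", p_i).  Basic event 1
# feeds gates 5 and 6, so it is replicated; the other basic events are not.
TREE = {
    1: ("BASIC", 0.10),
    2: ("BASIC", 0.20),
    3: ("BASIC", 0.30),
    4: ("BASIC", 0.25),
    5: ("AND", [1, 2]),
    6: ("OR", [1, 3]),
    7: ("2oo3", [5, 6, 4]),     # top event
}
TOP = 7


def basic_probs(tree):
    """p_i for each basic event id."""
    return {e: p for e, (kind, p) in tree.items() if kind == "BASIC"}


def gate_prob(kind, ps):
    """Exact gate probability for mutually independent inputs (Sreduce's job)."""
    if kind == "AND":
        return prod(ps)
    if kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    if kind == "NOT":
        return 1.0 - ps[0]
    if kind == "2oo3":              # at least two of three independent inputs
        a, b, c = ps
        return a * b + a * c + b * c - 2.0 * a * b * c
    raise ValueError(kind)


def path_counts(tree, eid, counts=None):
    """Downward paths from eid to each basic event; a basic event reached by
    more than one path is replicated below eid, so independence fails there."""
    counts = {} if counts is None else counts
    kind, payload = tree[eid]
    if kind == "BASIC":
        counts[eid] = counts.get(eid, 0) + 1
    else:
        for child in payload:
            path_counts(tree, child, counts)
    return counts


def simple(tree, eid, probs):
    """Direct evaluation, valid only when nothing below eid is replicated."""
    kind, payload = tree[eid]
    if kind == "BASIC":
        return probs[eid]
    return gate_prob(kind, [simple(tree, c, probs) for c in payload])


def pivotal(tree, eid, probs, fixed=frozenset()):
    """g(F) = p_i * g(F|x_i=1) + (1 - p_i) * g(F|x_i=0), pivoting on a
    replicated basic event e_i.  A conditioned event becomes the constant 1
    or 0 (behaving as an unreplicated event) and is never pivoted on again."""
    counts = path_counts(tree, eid)
    reps = [e for e, n in counts.items() if n > 1 and e not in fixed]
    if not reps:
        return simple(tree, eid, probs)
    pivot = max(reps, key=lambda e: counts[e])   # path-count analogue of heuristic (a)
    p_i = probs[pivot]
    high = pivotal(tree, eid, {**probs, pivot: 1.0}, fixed | {pivot})
    low = pivotal(tree, eid, {**probs, pivot: 0.0}, fixed | {pivot})
    return p_i * high + (1.0 - p_i) * low


def state_value(tree, eid, state):
    """Boolean value of event eid for one assignment of basic event states."""
    kind, payload = tree[eid]
    if kind == "BASIC":
        return state[eid]
    vals = [state_value(tree, c, state) for c in payload]
    if kind == "AND":
        return int(all(vals))
    if kind == "OR":
        return int(any(vals))
    if kind == "NOT":
        return 1 - vals[0]
    return int(sum(vals) >= 2)      # 2oo3


def brute_force(tree, eid, probs):
    """Reference value from all 2^n basic event states (a check, not a method)."""
    basics = sorted(probs)
    total = 0.0
    for bits in product((0, 1), repeat=len(basics)):
        state = dict(zip(basics, bits))
        weight = prod(probs[e] if state[e] else 1.0 - probs[e] for e in basics)
        total += weight * state_value(tree, eid, state)
    return total
```

For the constructed tree both routes give 0.1075; the brute-force sum is exponential in the number of basic events and is there only to confirm the decomposition.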
4. The Select Procedure 

Printed equations can be used for multiple executions
of top event probability computations. In this case, condi-
tioning on basic events so as to minimize the number of
equations written will enhance efficiency even if the running
time of Faulttree is increased. One way to do this is to
develop a "good" procedure for selecting a replicated event
$e_i$ to condition. Various heuristics are possible such as
choosing the $e_i$ with greatest out-degree or the greatest or
least distance from the cut event. These qualities can be
determined with a routine in O(|L|) time. A theoretically
stronger heuristic is

$$\min_{e_i \in E_R} \left( \max_{j \in J} |R_j| \right)$$

where $E_R$ is the set of replicated basic events in F, J the
set of biconnected components remaining in the two fault trees
$F|_{x_i=0}$ and $F|_{x_i=1}$ after conditioning on $e_i$, and $R_j$ the set of replicated events
in biconnected component j. A "select procedure" was imple-
mented to perform this. The procedure conditions on $e_i$
using the algorithm Condition and creates the two fault trees
$F|_{x_i=0}$ and $F|_{x_i=1}$. Next, a depth first search is conducted in
$F|_{x_i=0}$ and $F|_{x_i=1}$, counting the replicated events $|R_j|$ in each bicon-
nected component j. The biconnected components of $H|_{x_i}$
correspond to prime F-modules in $F|_{x_i}$ and to components which
will become prime F-modules after recursively reducing current
F-modules. The maximum $|R_j|$ found in the two depth first
searches of $F|_{x_i}$ is saved for each $e_i$. These steps are
repeated for all $e_i \in E_R$, and that $e_i$ that minimizes $\max |R_j|$
is chosen for conditioning. This heuristic myopically mini-
mizes the upper bound factor $\max |R_j|$ over all F-modules and
components which will become F-modules.
B. FAILURE PROBABILITY FUNCTION 

A second version of Faulttree was modified to print a
set of equations which represent the failure probability
of the top event. The algorithms remain the same except that
probability computations are replaced with "print statements."
These statements are inserted in Faulttree and Sreduce in
the spots marked by "dummy" comments. Since numerical compu-
tations are correctly ordered, so must be the printing of
the equations. Faulttree must create an extra variable and
a printed equation for storing the probability of the top
event for $F|_{x_i=1}$, since its normal storage space will be overwritten
by the probability of the top event for $F|_{x_i=0}$. "Dummy 1" is
replaced by a statement to print the equation which stores
the conditional probability in this extra variable. The
pivotal decomposition equation is printed by a statement in
the line marked by "Dummy 2." Table 2 shows the statements
to be substituted for "Dummy 1" and "Dummy 2" in Faulttree.

TABLE 2

Printing Equations

BLOCK      Statement
Dummy 1    XP[j] := P[j];
Dummy 2    P[j] := P[i] * XP[j] + (1 - P[i]) * P[j];


In the table, j is the index of the F-module top while i is
the index of the event conditioned. In Sreduce "Dummy 3"
is replaced by a statement giving the equation for $g_j(p)$.
In this case, the printed statement assigns a value to
"P[j]" by writing on the right hand side of the equation a
function of the basic, unreplicated events. The function to
be printed is dependent on $t_j$ and is taken from Table 1-2.
Although execution of g(p) is $O(2^r|L|)$ just like the
computation of g(F), actual time should be much less. Storage
is also $O(2^r|L|)$, an increase over that required for
direct computation of g(F). Storage for variables in g(p) is
only O(r+N). Recall that r is the number of replicated
events which also yields the maximum level of recursion, and
N is the total number of events in the fault tree. The r
term results from creating an extra variable at each level
of recursion to store conditional, top event probabilities.
The number of equations written is directly related to the
time complexity of computing g(F). The total storage require-
ments are therefore of the same order as the time complexity
of Faulttree, i.e., exponential. In practice, it is hoped
that the number of equations produced is small enough that
they can be evaluated efficiently.


C. ENHANCEMENTS 

Proper application of Faulttree requires that F, whether 
an F-module or a fault tree, possess the properties of a 
fault tree. A general F-module does not necessarily meet 
this requirement while a simple F-module always does. Two 
enhancements to Findmodule, "event splitting" and "recon- 
figuration," are methods of dealing with non-simple F-modules. 
Event splitting can be applied to an F-module with a cut 
event of type AND or OR while reconfiguration is used for a 
cut event of type 2-out-of-3. The last enhancement reduces 
the number of equations produced by handling some simple 
reductions implicitly. 

1. Event Splitting

When Findmodule locates a simple F-module F' with its
F-module top $e_k$, F' and $e_k$ are returned immediately to Fault-
tree. If F' is not simple, and $t_k$ = AND or OR, then event
splitting may be applied. Since F' is not simple, some $e_j \notin E'$
must be linked into $e_k$ by $\ell_{jk} \in L$. Split $e_k$ into two
events $e_{k_1}$ and $e_{k_2}$ such that the inputs of $e_{k_1}$ are
$\{\ell_{jk} : \ell_{jk} \in L,\ e_j \in E'\}$, the inputs of $e_{k_2}$ are
$\{\ell_{jk} : \ell_{jk} \in L,\ e_j \notin E'\}$ together with $\ell_{k_1 k_2}$, and
$t_{k_1} = t_{k_2} = t_k$. A simple F-module F is formed by
$F = F' - e_k + e_{k_1}$, where $e_{k_1}$ is the F-module top.
Findmodule returns F to Faulttree. Event splitting works since

$$x_1 \cap x_2 \cap \cdots \cap x_n = (x_1 \cap \cdots \cap x_m) \cap (x_{m+1} \cap \cdots \cap x_n)$$

for

$$x_k = x_1 \cap x_2 \cap \cdots \cap x_n,$$

and since

$$x_1 \cup x_2 \cup \cdots \cup x_n = (x_1 \cup \cdots \cup x_m) \cup (x_{m+1}\cup \cdots \cup x_n)$$

for

$$x_k = x_1 \cup x_2 \cup \cdots \cup x_n,$$

where $x_1, \ldots, x_m$ are the inputs of $e_k$ from E' and $x_{m+1}, \ldots, x_n$
are the inputs from outside E'.

Figure 2-4 shows the structural changes made to the fault
tree by event splitting.
2. Reconfiguration 
For a cut event $e_k$ of F-module F' with $t_k$ = 2-out-
of-3, three events $e_j$ are linked into the cut event $e_k$ of
F'. H' is a biconnected component of H (ignoring unreplicated
basic events) with cut vertex $v_k$. If F' is not simple, then
since $v_k \in H'$ exactly two of the $e_j \in E'$, leaving one
$e_j \notin E'$. Let the two events in E' be denoted $e_{j_1}$ and $e_{j_2}$ and
let $e_j \notin E'$ be denoted $e_{j_3}$. The possible states of the pair
$(x_{j_1}, x_{j_2})$ are (1,1), (1,0), (0,1), and (0,0), of which (1,0)
and (0,1) are indistinguishable to $e_k$. F' will be replaced
by $e_k$ and two basic events which will give an equivalent
representation of the probability information stored in F'.

To compute the needed probabilities a new top event $e_t$
independent of F is created. The links $\ell_{j_1 k}$ and $\ell_{j_2 k}$ are
removed, disconnecting $F' - e_k$ from F. Links $\ell_{j_1 t}$ and $\ell_{j_2 t}$
are formed to connect $F' - e_k$ to $e_t$ via the pair $e_{j_1}, e_{j_2}$,
forming the new fault tree $F_t$. Let $t_t$ = AND and
call Faulttree to obtain

$$P(1,1) = \left( g_t(p) \mid t_t = \text{AND} \right).$$

Let $t_t$ = OR and call Faulttree to obtain

$$P((1,1) \cup (1,0) \cup (0,1)) = \left( g_t(p) \mid t_t = \text{OR} \right).$$

$e_k$ is given a new event type which denotes a "reconfigured"
event with nonhomogeneous inputs. Two new basic events $e_{b_1}$
and $e_{b_2}$ are attached to $e_k$ by $\ell_{b_1 k}, \ell_{b_2 k} \in L$. $p_{b_1} = P(1,1)$
while $p_{b_2} = P((1,0) \cup (0,1))$, given by

$$P((1,0) \cup (0,1)) = P((1,1) \cup (1,0) \cup (0,1)) - P(1,1).$$

Future computation for $g_k(p)$ will use

$$g_k(p) = p_{b_1} + p_{b_2}\, p_{j_3}.$$

Figure 2-5 exhibits the resulting structural modification
to the fault tree.
3. Replacement

Another enhancement made was a change to Sreduce.
Instead of computing $p_i$ for a logic gate $e_i$ with only a
single basic event $e_j$ below, $e_i$ can simply be replaced by $e_j$:
let $t_i \leftarrow t_j$, $p_i \leftarrow p_j$, and dispose $e_j$. This is especially
helpful in forming the expression for g(p) since one equation
is eliminated each time this replacement is made.
III. IMPLEMENTATION AND COMPUTATIONAL RESULTS


The computer codes for all programs are written in
Berkeley 3.0 Pascal to take advantage of the recursive feature
of this language. All tests on these programs were conducted
on a VAX 11/780 computer under the Berkeley 4.0 Unix operating
system. The main algorithm of the previous chapter was
transformed into the dual purpose program "Faulttree" which
can be used to directly compute g(F) or produce a subroutine
containing the equations for g(p).


A. DATA STRUCTURES 

The data structure used to represent the fault tree is
effectively $(E, L \cup \bar{L})$. That is, both upward and downward
pointing links are maintained out of each event. Some storage
could have been saved using only (E, L) and creating $\bar{L}$ when
needed, but this would have greatly increased the complexity
of the program. Maintaining both L and $\bar{L}$ allowed flexibility
for the various types of searches conducted in F during reduc-
tions and other operations. A depth first search using $(E, \bar{L})$
is performed in the simple reduction subroutine "Sreduce,"
a depth first search using $(E, L \cup \bar{L})$ is performed in the
subroutine "Condition," and a depth first search using (V, L)
is performed in the subroutine "Findmodule" where $(L \cup \bar{L})$
is used to simulate the undirected links of H. The use of $(E, L \cup \bar{L})$ was especially
convenient in Condition. This allowed a depth first search
to remove events by starting at the basic event being con-
ditioned rather than beginning the search at the top event
which would require more time.

Because pivotal decomposition and other algorithms used
deal with dynamic fault trees by restructuring and making
reductions, the internal data structure for the computer
program should facilitate changes to F. This facilitation
was accomplished by the use of linked lists to represent
the events and links of F. Two features available in Pascal
which were useful for storing these linked lists are "records"
and "pointers." Two types of records were designated event
records and link records. A record allows the storage of
different data types within a single entity. Integers, reals,
pointers, and other types can be stored simultaneously in each
record. Two pointer types were designated event record
pointers and link record pointers. The pointers were used
to connect events and links in the computer representation
of the fault tree, and were also used to move from one event
to another during searches through F.

Tables 3-1 and 3-2 list the information stored in event 
and link records. 

An event record is created for each $e_i$ in F. Each event
record has an up pointer and a down pointer. The up pointer
points to the first link of a set of links equal in number
to the out-degree of $e_i$. Each link is connected to the next
link by the variable next link. Every link in the data
structure points to an event record via the variable event
pointer. The event records pointed to represent the $e_j$
which are linked from $e_i$ by $\{\ell_{ij} : \ell_{ij} \in L\}$. The down pointer
points to the first link of a set of links equal in number
to the in-degree of $e_i$. These links are joined to one another
in the same way, and each points to an event record repre-
senting an $e_j$ which is linked into $e_i$ by $\{\ell_{ji} : \ell_{ji} \in L\}$.
Figure 3-1 gives a visual representation of this structure.

TABLE 3-1

Event Record

Variable        Data Type
identity        integer
type            integer
up pointer      pointer to link record
down pointer    pointer to link record
probability     real

TABLE 3-2

Link Record

Variable        Data Type
event pointer   pointer to event record
next link       pointer to link record
Figure 3-1 Linking of Events
Because of this data structure, it is easy to change the
fault tree during a search. Reductions can be made by delet-
ing a link and reconnecting the links on either end of it,
or by setting pointers to "nil." Event types or identifications
can be changed or newly computed basic event probabilities
stored. (Probabilities only need to be stored in event
records when direct computation of system failure probability
is performed.)


B. PROGRAMMING 

Another feature of Pascal which was useful was its ability 
to call procedures recursively. This capability was used 
for pivotal decomposition so that recursive calls could be 
made in the program Faulttree until F was reduced completely. 
Although recursion could have been used in some subroutines, 
it uses more time and storage [Ref. 29: p. 300] than non- 
recursion and therefore was used only for pivotal decomposition. 

In Pascal, records may be created and destroyed over the
course of a program so that storage is only used when needed.
This can be accomplished by use of the embedded functions
"new" and "dispose." Some conservation of storage must be
utilized in Faulttree when solving any large problems. Using
new when making a copy of F and dispose during the reductions
on F is one way to conserve storage. This way is time con-
suming, however, since invoking new slows the program, and
extra searches which would otherwise be unnecessary are re-
quired to reach all events and links for disposals. To
minimize storage and time concurrently, two arrays were
created at the beginning of the program, one to store event
records and the other to store link records. All records
needed for the entire program are created and placed into
these arrays. Records are re-used from these arrays by saving
the index of the last record currently in use. Whenever a
new record is needed it can be taken from the next point in
the array beyond the index. Prior to making a copy of F in
Faulttree, the current value of the index is saved in another
variable. This copy of F is then produced, increasing the
index value. The copy is passed as an argument to Faulttree.
Upon return from Faulttree the copy is no longer needed, and
the index can be reset to its prior value. Meanwhile, as
reductions are made in Sreduce and Condition, the program
effectively "burns bridges" by setting pointers to nil where
events beyond these pointers are to be removed.

F-modules are dealt with directly without being discon-
nected or removed from F. Faulttree and its subroutines pass
arguments in the form of F-modules. This is actually accom-
plished in the program by passing a variable containing a
pointer to the F-module top. The subroutines treat the F-
module as a fault tree by never searching above the F-module
top.

In the subroutines Sreduce and Condition, some sections
of the code were written in block format. That is, sections
of code can be removed or inserted depending on the event
types to be represented in the fault tree. These blocks will
make it easy to modify this program for use of other specific
event types by insertion of the proper blocks of code.


C. INPUT AND OUTPUT

The input for Faulttree is a data file describing F. 

The first line of the data gives integer values for the number 
of events and the highest event identification number. The 
remainder of the file gives the detailed event data. Each 
event occupies two lines of the file. The first line gives 
three integers: event identification, event type, and number 
of events directly below. The second line lists the events 
below by identification or gives event probability for a basic 
event. Figure 3-2 is a sample input data file. 

Faulttree outputs either the system failure probability
or a set of equations forming an expression for g(p). This
expression is in the form of a three part Pascal program
"FTE" (Fault Tree Expression). Faulttree prints the heading
"FTE-heading" and a subroutine "TEP" (Top Event Probability)
for FTE while the main program "FTE-main" is kept permanently
on file. TEP contains the equations which are printed by
Faulttree in reducing F. It is configured to receive the
argument p from FTE-main and return g(p). TEP and FTE-main
use variables and arrays declared in FTE-heading. FTE-
heading is printed by Faulttree after reductions on F are
complete. Two arrays are declared in the heading. The
primary array has a component for each event in F plus any
other dummy events which may have been created during event
splitting or reconfiguration. The secondary array is used in
pivotal decomposition to store the conditional probability
for an event while a probability is computed for the same
event given the opposite condition. The size of this array
is no greater than the deepest recursion level of Faulttree.
The heading is printed after TEP since array sizes for FTE
are not available in Faulttree until F has been completely
reduced. FTE-main is a routine which reads p from the
data file and invokes TEP to compute g(p). Once FTE-heading,
TEP, and FTE-main are combined to create FTE, FTE is ready to
be compiled and executed. FTE reads from the same data file
that Faulttree reads but only extracts the values for p in
the process. FTE outputs the probability of the top event
but can be usefully configured to compute event importances
or to perform other computations which require g(p).

Figure 3-2 Sample Input Data File


D. PROGRAM TESTING 

Faulttree was tested on four fault trees, two of which 
are hypothetical, "Exampl" and "Examp2," and two of which are 
actual models of systems used in practice. One system, 
"Aircraft," represents the combat attrition of a single 
aircraft while another, "Nuke," represents a nuclear reactor 
accident. Input data files were created for the four fault 
trees, and Faulttree was executed for each to directly com- 
pute g(F). Faulttree was again executed for each data file 
to produce four versions of FTE. Descriptions of the fault 


trees and data from test runs are given in Table 3-3. 


TABLE 3-3

Test Runs

                 Exampl       Examp2       Aircraft     Nuke
events           64           [illegible]  [illegible]  339
rep. events      7            [illegible]  [illegible]  59
CPU time         [illegible]  [illegible]  [illegible]  [illegible]
events stored    [illegible]  550          178          2586
FTE equations    36           102          51           [illegible]
FTE CPU time     0.000        [illegible]  [illegible]  [illegible]
Nuke, described in the table, is actually a revised version
of the original data. The original data contained 345 events 
of which 65 were replicated. Further explanation of the 
modification of this data is given below. 

The table gives CPU time in seconds. All CPU times 
reported in this thesis exclude time required for input/output. 
As a measure of storage the maximum number of event records 
needed to compute each problem is included as “events stored." 
Also, the number of equations printed into FTE is listed. 

For all of the fault trees except Nuke, FTE was successfully
compiled and executed, computing the system failure proba-
bility in less time than required by Faulttree. The times for
execution of FTE are given in Table 3-3 in the row denoted
FTE CPU time.

Initial tests on Nuke were made using the original data
file. The first solution attempt for direct computation of
g(F) required more than five hours of clock time for Fault-
tree during a low utilization period on the VAX. Exact CPU
time was not determined. When Faulttree was reexecuted to
produce FTE, over 600,000 equations were printed into TEP.
This subroutine was too large to be compiled. Further tests
were conducted with this data alone with the objective of re-
ducing the number of equations being printed. First, data
was generated from Faulttree to see what size modules were
being located and to determine the extent of the reductions
being accomplished by pivotal decomposition. It was found
that after the first call to Sreduce, which removed only
six events, the fault tree was a prime F-module with all 65
replicated events and 339 of the original events still intact.
Several successful and unsuccessful techniques were imple-
mented for reducing the size of TEP. The replacement proce-
dure was implemented in Sreduce, and output was reduced to
about 425,000 lines. Up to this point, replicated events
for conditioning had been selected randomly. This worked
satisfactorily for small problems. Various heuristics for
choosing replicated events $e_i$ for conditioning were tested
with Nuke. Three of these which required linear time com-
plexity were choosing $e_i$ with (a) the greatest out-degree,
(b) the least distance in links from the top event, and
(c) the greatest distance in links from the top event.
Implementation of heuristic (a) reduced output to about
417,000 lines while (b) and (c) increased the amount of output.
Next, the reconfiguration procedure was developed, and it
reduced the output to about 415,000 lines. The heuristic
for computing

$$\min_{e_i \in E_R} \left( \max_{j \in J} |R_j| \right)$$

for all replicated basic events was then added. This
enhancement reduced output to 225,000 lines of output.
Finally a crude graphical representation
of the fault tree was produced with the hope that some visual
clue might aid selective conditioning. Two sets of four
replicated basic events were found. Every event in each set
was linked to the same two intermediate events of four
intermediate events total. The eight basic events were
replaced in the input data file by two basic events after
hand-computing probabilities for the two new basic events
based on the union of the four events each one replaced.
With this revised data, Faulttree produced only 153,733
equations.
IV. RESULTS AND CONCLUSIONS


Pivotal decomposition has been shown to be a good method
for computing system failure probabilities in fault trees,
at least for the problems analyzed here. The basic algorithm
in conjunction with several enhancements has computed exact
probability for a fairly large fault tree having 345 events
with 65 of them replicated. Some of these enhancements
were key factors in reducing the amount of computation re-
quired by the basic algorithm. If other methods of reducing
this computation can be applied to the computer code developed
in this thesis, this program will be capable of being used
in the analysis of even larger fault trees.

A. FINDINGS

Space complexity was not a limiting factor in solving 
any of these fault trees. The greatest use of storage 
occurred in computing g(F) for Nuke. The total number of 
event records created was less than eight times the amount 
needed to store the original fault tree alone. Since the 
recursion level was noted to exceed 43 at some points during 
execution, the factor of eight is less than might be expected. 
The system storage requirements for a high recursion level 
such as this are probably more significant than the storage 
of problem data. The greatest limiting factor for computing
probabilities in large fault trees is the time complexity
$O(2^r|L|)$, which also gives the complexity for the length of
TEP. In this complexity figure, the factor |L| is insigni-
ficant. Efforts to reduce complexity must be directed
toward the factor $2^r$. The fault tree aspects which most
influence this factor are the number of replicated events and 
the structural characteristics of the fault tree which allow 
or make difficult its modularization. Even a fault tree with 
a large r value should not be difficult for Faulttree to 
reduce if it has one of the following three properties: 
(a) No prime F-modules contain a large r, (b) r is greatly 
reduced after a few recursions of pivotal decomposition, 
or (c) non-complex F-modules (low r per F-module) begin to 
form after a few recursions of pivotal decomposition. 
Faulttree and FTE have been shown to be useful for the 
three fault trees Exampl, Examp2, and Aircraft. Faulttree 
computed top event probability in a fraction of a second, 
and FTE used less time. As a test of applicability FTE- 
main was modified to compute Birnbaum importances for every 
basic event in a given fault tree. For each basic event this 
requires two computations of top event probability by TEP. 
The number of basic events and time in seconds to compute all 
their Birnbaum importances are shown in Table 4 for the three 
fault trees. 
Examp2 is the most complex fault tree of the three as
evidenced by comparing the numbers of replicated events and
the CPU time required by g(F) for the three fault trees.
(See Table 3-3.) For Examp2, 72 computations of g(p) are
made in about one-fifth of the amount of time required to
compute g(F) directly.

TABLE 4

Time to Compute Birnbaum Importances for All Basic Events

                Exampl        Examp2        Aircraft
basic events    34            36            61
CPU time        [illegible]   [illegible]   [illegible]
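An added Python example, not the thesis's FTE code, serving both the equation printing described under B. FAILURE PROBABILITY FUNCTION and the Birnbaum computation above: it executes a constructed set of TEP-style statements in the forms of Table 2 for one p, then re-runs them twice per basic event to obtain Birnbaum importances. The statement list, the small tree behind it, the AST-based expression walker and the function names are assumptions made for the example.

```python
# Added example, not the thesis's FTE code: executes TEP-style statements in
# the forms of Table 2 for one probability vector p, then re-runs them, as
# Chapter IV does with FTE-main, to obtain Birnbaum importances
# I_B(i) = g(p | p_i = 1) - g(p | p_i = 0).  The statement list is constructed
# by hand for a small tree 4 = AND(1, 2), 5 = AND(1, 3), 6 = OR(4, 5), where
# basic event 1 is replicated and is the pivot.  Statement order follows the
# dummy markers: g given x_1 = 1 (Dummy 3), copy into XP (Dummy 1), g given
# x_1 = 0 (Dummy 3), pivotal decomposition (Dummy 2).
import ast

TEP = """
P[6] := 1 - (1 - P[2]) * (1 - P[3]);
XP[6] := P[6];
P[6] := 0;
P[6] := P[1] * XP[6] + (1 - P[1]) * P[6];
"""
TOP = 6
PROBS = {1: 0.1, 2: 0.2, 3: 0.3}     # constructed basic event probabilities

# Only these operators occur in printed equations; anything else is rejected.
OPS = {ast.Add: lambda a, b: a + b,
       ast.Sub: lambda a, b: a - b,
       ast.Mult: lambda a, b: a * b}


def evaluate(node, arrays):
    """Evaluate a right-hand side by walking its AST with a whitelist (no eval()):
    numbers, + - *, parentheses, and P[i] / XP[i] references only."""
    if isinstance(node, ast.Expression):
        return evaluate(node.body, arrays)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return float(node.value)
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return OPS[type(node.op)](evaluate(node.left, arrays),
                                  evaluate(node.right, arrays))
    if isinstance(node, ast.Subscript) and isinstance(node.value, ast.Name):
        idx = node.slice
        if not isinstance(idx, ast.Constant):      # Python 3.8 wraps it in ast.Index
            idx = idx.value
        name = node.value.id
        if name in arrays and isinstance(idx, ast.Constant):
            if idx.value not in arrays[name]:
                raise ValueError("%s[%s] used before assignment" % (name, idx.value))
            return arrays[name][idx.value]
    raise ValueError("construct outside the TEP equation language: %s" % ast.dump(node))


def run_tep(tep_text, probs):
    """Execute the statements top to bottom, as TEP does; returns the P array."""
    arrays = {"P": dict(probs), "XP": {}}
    for stmt in tep_text.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        lhs, rhs = (s.strip() for s in stmt.split(":="))
        name, idx = lhs.rstrip("]").split("[")
        if name not in arrays:
            raise ValueError("unknown array in %r" % stmt)
        arrays[name][int(idx)] = evaluate(ast.parse(rhs, mode="eval"), arrays)
    return arrays["P"]


def top_probability(tep_text, probs, top=TOP):
    """g(p): one execution of TEP."""
    return run_tep(tep_text, probs)[top]


def birnbaum(tep_text, probs, top=TOP):
    """Birnbaum importance of every basic event, two TEP executions per event."""
    return {i: top_probability(tep_text, {**probs, i: 1.0}, top)
               - top_probability(tep_text, {**probs, i: 0.0}, top)
            for i in probs}
```

For the constructed statements g(p) = 0.1 (1 - 0.8 * 0.7) = 0.044 and the importances are 0.44, 0.07 and 0.08 for events 1, 2 and 3; the whitelist walker matters because printed equations are data read from a file, not trusted program text.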

FTE was unable to be tested on Nuke due to the size of 
the subroutine TEP produced by Faulttree. Direct computation 
of g(F) was successful, although it required much CPU time. 

The structure of this fault tree impeded the formation of 
proper F-modules after reductions from conditioning. In fact, 
following as many as five conditionings, no replicated events 
are eliminated except for the one conditioned, and no proper 
F-modules are created. 

Although the version of TEP produced with Nuke is presently 
too large to compile and use, it was reduced in size by more 
than 75 percent from the first execution by several innovations 
which were discussed in Chapter III. The large reductions 
accomplished by the implementation of replacement show that 
there are many instances of intermediate events with only 
one unreplicated basic event below. Although this technique 


was trivially easy to use, it was highly significant in 
reducing the size of TEP. The addition of reconfiguration
to the program reduced TEP by less than one percent. This
may seem insignificant; however, Nuke only has three 2-out-of-3
events. Of the three, one is reduced and disposed in the
first call to Sreduce leaving only two in the fault tree for
pivotal decomposition. Before implementing reconfiguration,
if the cut vertex of an F-module F' was a 2-out-of-3
event, and one of the events connected into the cut vertex
was not in F', then F' could not be used but instead served
to complicate F and impede the computational process. It
is believed that reconfiguration will significantly reduce
the actual complexity of any fault tree with many 2-out-of-3
events.

The heuristic for selecting events to condition reduced 
the size of TEP by 45 percent. Although this heuristic results 
in increased time complexity for Faulttree, the great reduc- 
tion in the size of TEP is worthwhile. 

It is hoped that pivotal decomposition, combined with 
techniques discussed in this thesis and other techniques, 
will be useful in the analysis of large fault trees. More 
methods of making reductions and locating F-modules exist. 
However, time limitations preclude their application in this 
thesis. It is believed that the addition of some of these 
other methods to Faulttree would greatly increase the range
of solvable problems.

B. SUGGESTED FURTHER RESEARCH

There are many further enhancements to the pivotal 
decomposition method of fault tree probability computation 
which could increase the usability of Faulttree. 

This thesis used the 2-out-of-3 event to demonstrate how 
techniques for K-out-of-N events can be applied. Specific 
K-out-of-N events would be easy to implement in the existing 
program. Other possible enhancements could be the addition 
of algorithms to compute probabilities of a general K-out-of-N 
event during simple reductions. To be of any practical use, 
this algorithm must handle a set of input events with unequal 
probabilities. In conjunction with this there should be a 
method for reconfiguration of an F-module with a general K-out-
of-N cut vertex.

There exist other methods of locating F-modules and 
generalizations of F-modules that can locate more useful 
structures which are overlooked by the depth first search 
method applied here. The method used in this thesis only 
locates an F-module which is attached to the fault tree 
by a cut vertex. Wood [Ref. 30] uses a search for tri- 
connected components in solving network reliability problems, 
and this method could be used to locate F-modules connected 
by separating pairs. Applied to this algorithm for fault 
trees, additional F-modules would be located which aren't 
being located by the present method. For example, the two
sets of four replicated events which were reduced to two
replicated events by hand computation were both examples of
tri-connected components which would have been detected and
reduced as F-modules thus reducing the overall problem
complexity.

It may be sufficient in many applications to compute 
g(F) approximately or to obtain upper and lower bounds on 
g(F). Corynen [Ref. 26] is able to solve large problems and 
obtains accurate bounds without considering all branches of 
the backtrack search structure. In Faulttree, lower bounding
could be accomplished by saving the product $P_k$ of the proba-
bilities of all events which have been conditioned up to
recursion level k. The most recent value of $P_k$ for each level
is saved so that it is available during backtracking and
further recursion. When $P_k < \delta$ for some small $\delta > 0$, then
further recursions are unnecessary since the term in the
pivotal decomposition algorithm is approaching zero. The
algorithm can backtrack, and the term associated with the
current recursion need not be added into the computation
of g(F). If used, this method removes Faulttree from the
realm of exact methods, and it might greatly reduce the
resulting expression for computation of system failure proba-
bility when the $p_i$ values vary over a wide range.

There is surely a lower bound on the number of equations 
which must be written to give an expression for g(p) for a 
particular fault tree. For some large fault trees the lower
bound will be too large thus preventing the compilation of
the subroutine TEP. In this case TEP can be subdivided into
multiple subroutines to be compiled separately and linked for 
execution. 

By including some of these suggested additions to the
work already accomplished, it is believed that Faulttree and
FTE will be useful tools for fault tree analysis.